ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
Size

2.7MB
MD5

789c75b7bfea0a1e2b2227ffec608069
SHA1

a3150d633c325152cadd4780e25651f6ade2ddb6
SHA256

ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8
SHA512

ef50ecb0a1bdf6b096f75883c48e69d1d627fa2d6dc5505852c23ac0b19c5059f652697ff95b4395ecc94fe7bfa90fd52ad695f5181e0784379443384a45f0af
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCW\\xbodsys.exe"	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFN\\optixec.exe"	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
1716	xbodsys.exe
1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1716	1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe	28
PID 1444 wrote to memory of 1716	1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe	28
PID 1444 wrote to memory of 1716	1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe	28
PID 1444 wrote to memory of 1716	1444	ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe	28

C:\Users\Admin\AppData\Local\Temp\ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe
"C:\Users\Admin\AppData\Local\Temp\ab11b92903491212763f8f6a098b13680c9876999659518701e51f8b0908afd8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444
- C:\AdobeCW\xbodsys.exe
  C:\AdobeCW\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
16e686cd6364cec44df2749d1087357f

SHA1
7d52a9a3ac8b6db87696b75d3db5b6c802c28e2a

SHA256
71f2bb9f05c5daf92f329c94c2766ea0a75fde0fd1cbc7ef2e97dbb02fa2b386

SHA512
4ea85da14c0e431dc9390069b125875cf2cfa0f0e0157ebeb83365d831801f44ce53b52c32d532c8ef373b783272db5a6455ffd3c187fac17da8fe8970cb3f3f

Download Submit
C:\VidFN\optixec.exe

Filesize
2.7MB

MD5
d5848aca6c38b65ab9191453d6557933

SHA1
3840ba55cc331da6eef40d913bc2a344eea03160

SHA256
a5316d71d61c741472fd2a1ee8c710e9c9149a52b3df08f8c37f6b458eb56627

SHA512
87be4aaa4286680f1cffa712d34863b0926120b7fe60f25ce07bc143617d9b8300ef6548e6e795431c1c6a428668cd23626cd80725ff9eeebcfe894a744955f6

Download Submit
\AdobeCW\xbodsys.exe

Filesize
2.7MB

MD5
5e65ad0c502e473a2949bb76fbe03bd4

SHA1
d6b46f9a013638b44b0ae2811db617fed40aee62

SHA256
8c8fc96973fdb7bc653ecc7364324fe4db4fde30bbd85605b4311f504e5fd3fb

SHA512
794c96b856964826794a2e3c46befdd0ed205a82ad273c6d59178180977a3f91aeae9d25b42dbb1a6190e9031c93bbb809d55c2514c073ef415e4179cf27eaf3

Download Submit